| Source: 00000003.00000002.29960207912.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp |
Malware Configuration Extractor: Remcos {"Host:Port:Password": "185.222.57.217:8780:|", "Assigned name": "Host", "Connect interval": "5", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "remcos", "Hide file": "Disable", "Mutex": "remcos_rurbibqnnhyclpl", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screens", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "audio", "Connect delay": "0", "Copy folder": "remcos", "Keylog folder": "remcos"} |
| Source: 00000001.00000002.25193370365.00000000032C1000.00000040.00001000.00020000.00000000.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "http://185.222.57.79/SALES/1%20FEB%202-22_jalPPiWqFb130.bin"} |
| Source: |
Binary string: mshtml.pdb source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000001.25048749211.0000000000649000.00000008.00000001.01000000.00000005.sdmp |
| Source: |
Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\ThrottlePlugin.pdb source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr |
| Source: |
Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\ThrottlePlugin.pdb00 source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr |
| Source: |
Binary string: mshtml.pdbUGP source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000001.25048749211.0000000000649000.00000008.00000001.01000000.00000005.sdmp |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 185.222.57.79 |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000002.29960026730.00000000018BF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.222.57.79/ |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000002.29960026730.00000000018BF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.222.57.79/SALES/1 |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000002.29960026730.00000000018BF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.222.57.79/SALES/1%20FEB%202-22_jalPPiWqFb130.bin |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000002.29959603610.0000000001868000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.222.57.79/SALES/1%20FEB%202-22_jalPPiWqFb130.binY |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
| Source: user-not-tracked-symbolic.svg.1.dr |
String found in binary or memory: http://creativecommons.org/licenses/by-sa/4.0/ |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr |
String found in binary or memory: http://creativecommons.org/ns# |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25187530812.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr |
String found in binary or memory: http://creativecommons.org/ns#Attribution |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25187530812.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr |
String found in binary or memory: http://creativecommons.org/ns#DerivativeWorks |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25187530812.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr |
String found in binary or memory: http://creativecommons.org/ns#Distribution |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25187530812.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr |
String found in binary or memory: http://creativecommons.org/ns#Notice |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25187530812.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr |
String found in binary or memory: http://creativecommons.org/ns#Reproduction |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25187530812.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr |
String found in binary or memory: http://creativecommons.org/ns#ShareAlike |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr |
String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0 |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr |
String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr |
String found in binary or memory: http://crl.globalsign.com/root.crl0G |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr |
String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000001.25048749211.0000000000649000.00000008.00000001.01000000.00000005.sdmp |
String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference. |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, MDDINGEN.exe.3.dr |
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr |
String found in binary or memory: http://ocsp.digicert.com0C |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr |
String found in binary or memory: http://ocsp.digicert.com0O |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr |
String found in binary or memory: http://ocsp.globalsign.com/rootr103 |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr |
String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr |
String found in binary or memory: http://ocsp2.globalsign.com/rootr306 |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr |
String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0 |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr |
String found in binary or memory: http://www.digicert.com/CPS0 |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000001.25048749211.0000000000649000.00000008.00000001.01000000.00000005.sdmp |
String found in binary or memory: http://www.gopher.ftp://ftp. |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000001.25048579911.0000000000626000.00000008.00000001.01000000.00000005.sdmp |
String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000001.25048337068.00000000005F2000.00000008.00000001.01000000.00000005.sdmp |
String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000001.25048337068.00000000005F2000.00000008.00000001.01000000.00000005.sdmp |
String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000001.25048749211.0000000000649000.00000008.00000001.01000000.00000005.sdmp |
String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr |
String found in binary or memory: https://www.digicert.com/CPS0 |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr |
String found in binary or memory: https://www.globalsign.com/repository/0 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, |
1_2_00405809 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
1_2_00403640 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_00406D5F |
1_2_00406D5F |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_719D1BFF |
1_2_719D1BFF |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032CCBB5 |
1_2_032CCBB5 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032CE1CD |
1_2_032CE1CD |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C533D |
1_2_032C533D |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C8F32 |
1_2_032C8F32 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C6706 |
1_2_032C6706 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C6772 |
1_2_032C6772 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C8B4C |
1_2_032C8B4C |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C8757 |
1_2_032C8757 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C67EE |
1_2_032C67EE |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032CEBE0 |
1_2_032CEBE0 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C5224 |
1_2_032C5224 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032CEE3E |
1_2_032CEE3E |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032CE632 |
1_2_032CE632 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C6662 |
1_2_032C6662 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C864B |
1_2_032C864B |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C9A93 |
1_2_032C9A93 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C86E7 |
1_2_032C86E7 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032CAACE |
1_2_032CAACE |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C6936 |
1_2_032C6936 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C890D |
1_2_032C890D |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C5552 |
1_2_032C5552 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C51A5 |
1_2_032C51A5 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C69A7 |
1_2_032C69A7 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C5587 |
1_2_032C5587 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C8595 |
1_2_032C8595 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C8593 |
1_2_032C8593 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C85EE |
1_2_032C85EE |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C55D6 |
1_2_032C55D6 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C503A |
1_2_032C503A |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C8808 |
1_2_032C8808 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C501D |
1_2_032C501D |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C5478 |
1_2_032C5478 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C88A2 |
1_2_032C88A2 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C5CBF |
1_2_032C5CBF |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C508C |
1_2_032C508C |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C6888 |
1_2_032C6888 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C5094 |
1_2_032C5094 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C50F2 |
1_2_032C50F2 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C54CF |
1_2_032C54CF |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
1_2_00403640 |
| Source: |
Binary string: mshtml.pdb source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000001.25048749211.0000000000649000.00000008.00000001.01000000.00000005.sdmp |
| Source: |
Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\ThrottlePlugin.pdb source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr |
| Source: |
Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\ThrottlePlugin.pdb00 source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25190200051.000000000295C000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr |
| Source: |
Binary string: mshtml.pdbUGP source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000001.25048749211.0000000000649000.00000008.00000001.01000000.00000005.sdmp |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_719D30C0 push eax; ret |
1_2_719D30EE |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C3A02 push ebp; retf |
1_2_032C3C98 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C8F18 push 00000038h; retf |
1_2_032C8F2D |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C974A push es; retf |
1_2_032C9822 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C424A push dword ptr [esi-4Dh]; iretd |
1_2_032C4326 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C729B push ds; iretd |
1_2_032C729F |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C42EA push dword ptr [esi-4Dh]; iretd |
1_2_032C4326 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C4126 push dword ptr [esi-4Dh]; iretd |
1_2_032C4326 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C419B push dword ptr [esi-4Dh]; iretd |
1_2_032C4326 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C99D3 push edi; retf |
1_2_032C9A11 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C3C86 push ebp; retf |
1_2_032C3C98 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C40FD push dword ptr [esi-4Dh]; iretd |
1_2_032C4326 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C34C7 push ss; iretd |
1_2_032C34C9 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25194257929.0000000004F49000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Guest Shutdown Service |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25194257929.0000000004F49000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Remote Desktop Virtualization Service |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25194257929.0000000004F49000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: vmicshutdown |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25194257929.0000000004F49000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Volume Shadow Copy Requestor |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25194257929.0000000004F49000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V PowerShell Direct Service |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25194257929.0000000004F49000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Time Synchronization Service |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25194257929.0000000004F49000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: vmicvss |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000002.29960096918.00000000018CE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000002.29959850772.0000000001899000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000002.29960096918.00000000018CE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWkKvA |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25193747367.00000000033B1000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25194257929.0000000004F49000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Data Exchange Service |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25194257929.0000000004F49000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Heartbeat Service |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25194257929.0000000004F49000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Guest Service Interface |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25194257929.0000000004F49000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: vmicheartbeat |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000001.00000002.25193747367.00000000033B1000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\mshtml.dll |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C8B7A mov eax, dword ptr fs:[00000030h] |
1_2_032C8B7A |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C8B4C mov eax, dword ptr fs:[00000030h] |
1_2_032C8B4C |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032CEBE0 mov eax, dword ptr fs:[00000030h] |
1_2_032CEBE0 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032CB229 mov eax, dword ptr fs:[00000030h] |
1_2_032CB229 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032CEE3E mov eax, dword ptr fs:[00000030h] |
1_2_032CEE3E |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032CDE50 mov eax, dword ptr fs:[00000030h] |
1_2_032CDE50 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C8D2A mov ebx, dword ptr fs:[00000030h] |
1_2_032C8D2A |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C8D19 mov ebx, dword ptr fs:[00000030h] |
1_2_032C8D19 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C8D19 mov eax, dword ptr fs:[00000030h] |
1_2_032C8D19 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C8595 mov eax, dword ptr fs:[00000030h] |
1_2_032C8595 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C8593 mov eax, dword ptr fs:[00000030h] |
1_2_032C8593 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C8C0A mov eax, dword ptr fs:[00000030h] |
1_2_032C8C0A |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C8CBE mov eax, dword ptr fs:[00000030h] |
1_2_032C8CBE |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_032C508C mov eax, dword ptr fs:[00000030h] |
1_2_032C508C |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000002.29960241584.0000000001CF6000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: d|0|cmd|Program Manager |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000002.29960241584.0000000001CF6000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000002.29960241584.0000000001CF6000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Managerer |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000002.29960241584.0000000001CF6000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: d|0|cmd|Program Manager|cmd| |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000002.29960241584.0000000001CF6000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manageranager |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000002.29984241513.000000001D52D000.00000004.00000010.00020000.00000000.sdmp, logs.dat.3.dr |
Binary or memory string: [ Program Manager ] |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000002.29960241584.0000000001CF6000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: art]Bpong|cmd|0|cmd|Program Manager|cmd|107|cmd|82453234 |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000002.29960241584.0000000001CF6000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: d|0|cmd|Program Manager|cmd|109|cmd|$+vx$+vx |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000002.29960241584.0000000001CF6000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: d|0|cmd|Program Manager|cmd|121|cmd|87943281 |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000002.29960241584.0000000001CF6000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: art]Bpong|cmd|0|cmd|Program Manager|cmd|109|cmd|91603265C,, |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000002.29960241584.0000000001CF6000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: d|0|cmd|Program Manager|cmd|109 |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000002.29960241584.0000000001CF6000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: art]Bpong|cmd|0|cmd|Program Manager|cmd|121|cmd|87943281C |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000002.29960241584.0000000001CF6000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: d|0|cmd|Program Manager|cmd|107|cmd|82453234ember:Oct:October:Nov:November:Dec:DYY |
| Source: SecuriteInfo.com.Trojan.Inject.3564.exe, 00000003.00000002.29960241584.0000000001CF6000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: d|0|cmd|Program Manager|cmd|109|cmd|91603265 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
1_2_00403640 |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet